Data source based application sandboxing

ABSTRACT

A computing device and a method for a computing device to control access to data stored on a data store of the device. An access component of the device having control over access to the data. The access component being operative to receive a request for data from a requesting component, identify an assigned access domain of the requesting component and an assigned data domain of the requested data and determine whether the requesting component is authorized to access the data by comparing the assigned access domain and the data domain with permissions specified in a security policy. If the assigned access domain is authorized to access the data domain, the access component may provide access to the requested data.

FIELD OF THE INVENTION

This invention relates to protecting information stored on a computingdevice. In particular, this invention relates to controlling theaccessibility of data stored on a computing device.

BACKGROUND OF THE INVENTION

Computing devices may be used for a variety of applications. While someapplications may generate and store sensitive data, other applicationsmay create innocuous or less sensitive data. In some instances, anapplication may generate sensitive data in some instances and lesssensitive data in other instances.

There is a need for a device and method for protecting data that avoidsthe limitations in the prior art.

BRIEF DESCRIPTION OF THE DRAWINGS

In drawings which illustrate by way of example only a preferredembodiment of the invention,

FIG. 1 is a block diagram of an embodiment of a mobile device.

FIG. 2 is a block diagram of an embodiment of a communication subsystemcomponent of the mobile device of FIG. 1.

FIG. 3 is an exemplary block diagram of a node of a wireless network foruse with the mobile device of FIG. 1.

FIG. 4a is a block diagram illustrating components of a host system inone exemplary configuration for use with the wireless network of FIG. 3and the mobile device of FIG. 1.

FIG. 4b is a block diagram illustrating an embodiment of a system.

FIG. 5a-c are block diagrams illustrating embodiments of an accesscomponent storing data.

FIG. 6a-b are block diagrams illustrating embodiments of a requestingcomponent requesting access to data controlled by an access component.

FIG. 7a-b are flow diagrams illustrating embodiments an access componentstoring data.

FIG. 8a-b are flow diagrams illustrating embodiments of an accesscomponent granting access to requested data.

DETAILED DESCRIPTION OF THE INVENTION

In an embodiment, a method is provided for a computing devicecontrolling access to data stored on a data store of the computingdevice, an access component of the computing device having control overaccess to the data, the method comprising the access component:receiving a request for data from a requesting component; identifying anassigned access domain of the requesting component and an assigned datadomain of the requested data based on a security policy; determiningwhether the requesting component is authorized to access the data bycomparing the assigned access domain and the assigned data domain withpermissions specified in a security policy; and, if the assigned accessdomain is authorized to access the assigned data domain, providingaccess to the data.

In an aspect of the method, the providing access may comprise any oneof: forwarding the requested data to the requesting component, writingan amendment specified by the forwarding component to the requested dataand storing the amended data in place of the requested data in the datastore, or deleting the requested data from the data store.

In an aspect of the method the identifying the assigned data domain ofthe data may comprise evaluating one or more data characteristics of thedata and identifying the assigned data domain based on the one or moredata characteristics and the security policy.

In an aspect of the method, the one or more data characteristics maycomprise a data domain identifier associated with the data, and theevaluating comprises retrieving the data domain identifier and matchingthe retrieved data domain identifier with a corresponding assigned datadomain specified in the security policy.

In an aspect of the method, the data may comprise a data objectaccessible to the access component and the evaluating one or more datacharacteristics may comprise the access component accessing the dataobject and analysing the data object to evaluate a content of the dataobject and comparing the content with data classifications defined inthe security policy to identify the assigned data domain.

In an aspect of the method, the identifying the assigned access domainof the requesting component may comprise receiving an access domainidentifier from the requesting component and matching the receivedaccess domain identifier with a corresponding assigned access domainspecified in the security policy to identify the assigned access domain.

In an aspect of the method, before the access component receives therequest, the access component may classify the data to assign a datadomain by: evaluating data characteristics of the data; comparing thedata characteristics with data classifications defined in the securitypolicy to assign a data domain; and, storing the data in the data storeassociated with the data domain. The identifying the assigned datadomain may comprise evaluating the data domain stored in associationwith the data, and comparing the data domain with data classificationsdefined in the security policy to identify the assigned data domain.

In an aspect of the method, the computing device may receive an updatedsecurity policy from a server over a network connection and thecomputing device may replace the security policy with the updatedsecurity policy such that operations of the access component that werebased on the security policy become based upon the updated securitypolicy.

In an aspect of the method, the computing device may receive an updatedsecurity policy from a server over a network connection, and theidentifying may comprise identifying the assigned access domain of therequesting component and the assigned data domain of the requested databased upon the updated security policy, and the comparing may comprisecomparing the assigned access domain and the assigned data domain withupdated permissions specified in the updated security policy.

In an embodiment, a computing device may be provided, the computingdevice operative to control access to data stored on a data store of thedevice, the computing device comprising: a processing unit incommunication with the data store; a requesting component operative onthe device to request data stored in the data store; an access componentoperative on the device to: control access to data stored in the datastore; receive requests for data from the requesting component; identifyan assigned access domain of the requesting component and an assigneddata domain of the data based on a security policy; determine whetherthe requesting component is authorized to access the data by comparingthe assigned access domain and the assigned data domain with permissionsspecified in the security policy; and, provide access to the data if theassigned access domain is authorized to access the assigned data domain.

In an aspect of the computing device, the access component may beoperative to identify the assigned data domain of the requested data byevaluating one or more data characteristics of the data and identifyingthe assigned data domain based on the one or more data characteristicsand the security policy.

In an aspect of the computing device, the one or more datacharacteristics may comprise a data domain identifier associated withthe data, and the access component may be operative to evaluate byretrieving the data domain identifier and matching the retrieved datadomain identifier with a corresponding assigned data domain specified inthe security policy.

In an aspect of the computing device, the data may comprise a dataobject and the access component may be operative to access the dataobject accessible to the access component and to evaluate the one ormore data characteristics by accessing the data object and analysing thedata object to evaluate a content of the data object and compare thecontent with data classifications defined in the security policy toidentify the assigned data domain.

In an aspect of the computing device, the access component may beoperative to identify the assigned access domain of the requestingcomponent when the access component receives an access domain identifierfrom the requesting component by matching the received access domainidentifier with a corresponding assigned access domain specified in thesecurity policy to identify the assigned access domain.

In an aspect of the computing device, the access component may beoperative to classify the data to assign a data domain before the accesscomponent receives the request, by: evaluating data characteristics ofthe data; comparing the data characteristics with data classificationsspecified in the security policy to assign a data domain; and, storingthe data in the data store associated with the data domain.

In an aspect of the computing device, the access component may beoperative to identify the assigned data domain by evaluating the datadomain stored in association with the data, and comparing the datadomain with data classifications defined in the security policy toidentify the assigned data domain.

In an aspect the computing device may further comprise a networkcommunications subsystem, the computing device may be operative toreceive an updated security policy from a server through the networkcommunications subsystem, and the access component is further operativeto replace the security policy with the updated security policy suchthat operations of the access component that were based on the securitypolicy become based upon the updated security policy.

In an aspect the computing device may be operative to receive an updatedsecurity policy from a server over a network connection, and theidentifying may comprise identifying the assigned access domain of therequesting component and the assigned data domain of the requested databased upon the updated security policy, and the comparing may comprisecomparing the assigned access domain and the assigned data domain withupdated permissions specified in the updated security policy.

The embodiments described herein may be implemented on a communicationdevice such as that illustrated in FIGS. 1 and 2. The communicationdevice may communicate with other devices over a wireless communicationsystem or enterprise system as illustrated in FIGS. 3 and 4 a. Thecommunication device 100 may be a mobile device with two-waycommunication and advanced data communication capabilities including thecapability to communicate with other mobile devices or computer systemsthrough a network of transceiver stations. The communication device 100can also have voice communication capabilities.

FIG. 1 is a block diagram of an exemplary embodiment of a communicationdevice 100. The communication device 100 includes a number of componentssuch as a main processor 102 that controls the overall operation of thecommunication device 100. Communication functions, including data andvoice communications, are performed through a communication subsystem104. Data received by the communication device 100 can be decompressedand decrypted by decoder 103, operating according to any suitabledecompression techniques, and encryption/decryption techniques accordingto various standards, such as Data Encryption Standard (DES), TripleDES, or Advanced Encryption Standard (AES)). Image data is typicallycompressed and decompressed in accordance with appropriate standards,such as JPEG, while video data is typically compressed and decompressedin accordance with appropriate standards, such as H.26x and MPEG-xseries standards.

The communication subsystem 104 receives messages from and sendsmessages to a wireless network 200. In this exemplary embodiment of thecommunication device 100, the communication subsystem 104 is configuredin accordance with one or more of Global System for Mobile Communication(GSM), General Packet Radio Services (GPRS) standards, Enhanced Data GSMEnvironment (EDGE) and Universal Mobile Telecommunications Service(UMTS). New standards are still being defined, but it is believed thatthey will have similarities to the network behavior described herein,and it will also be understood by persons skilled in the art that theembodiments described herein are intended to use any other suitablestandards that are developed in the future. The wireless link connectingthe communication subsystem 104 with the wireless network 200 representsone or more different Radio Frequency (RF) channels, operating accordingto defined protocols specified for GSM, GPRS, EDGE, or UMTS, andoptionally other network communications. With newer network protocols,these channels are capable of supporting both circuit switched voicecommunications and packet switched data communications.

Other wireless networks can also be associated with the communicationdevice 100 in variant implementations. The different types of wirelessnetworks that can be employed include, for example, data-centricwireless networks, voice-centric wireless networks, and dual-modenetworks that can support both voice and data communications over thesame physical base stations. Combined dual-mode networks include, butare not limited to, Code Division Multiple Access (CDMA) or CDMA2000networks, GSM/GPRS networks, third-generation (3G) networks like EDGE,HSPA, HSPA+, EVDO and UMTS, or fourth-generation (4G) networks such asLTE and LTE Advanced. Some other examples of data-centric networksinclude WiFi 802.11™, Mobitex™ and DataTAC™ network communicationsystems. Examples of other voice-centric data networks include PersonalCommunication Systems (PCS) networks like GSM and Time Division MultipleAccess (TDMA) systems. The mobile device 100 may be provided withadditional communication subsystems, such as the wireless LAN (WLAN)communication subsystem 105 also shown in FIG. 1. The WLAN communicationsubsystem may operate in accordance with a known network protocol suchas one or more of the 802.11™ family of standards developed by IEEE. Thecommunication subsystem 105 may be separate from, or integrated with,the communication subsystem 104 or with the short-range communicationsmodule 122. The main processor 102 also interacts with additionalsubsystems such as a Random Access Memory (RAM) 106, a flash memory 108,a display 110, an auxiliary input/output (I/O) subsystem 112, a dataport 114, a keyboard 116, a speaker 118, a microphone 120, theshort-range communications 122 and other device subsystems 124. Thecommunication device may also be provided with an accelerometer 111,which may be used to detect gravity- or motion-induced forces and theirdirection. Detection of such forces applied to the device 100 may beprocessed to determine a response of the device 100, such as anorientation of a graphical user interface displayed on the displayassembly 110 in response to a determination of the current orientationof which the device 100.

Some of the subsystems of the communication device 100 performcommunication-related functions, whereas other subsystems can provide“resident” or on-device functions. By way of example, the display 110and the keyboard 116 can be used for both communication-relatedfunctions, such as entering a text message for transmission over thenetwork 200, and device-resident functions such as a calculator or tasklist.

A rendering circuit 125 is included in the device 100. When a userspecifies that a data file is to be viewed on the display 110, therendering circuit 125 analyzes and processes the data file forvisualization on the display 110. Rendering data files originallyoptimized or prepared for visualization on large-screen displays on aportable electronic device display often requires additional processingprior to visualization on the small-screen portable electronic devicedisplays. This additional processing may be accomplished by therendering engine 125. As will be appreciated by those of skill in theart, the rendering engine can be implemented in hardware, software, or acombination thereof, and can comprise a dedicated image processor andassociated circuitry, or can be implemented within main processor 102.

The communication device 100 can send and receive communication signalsover the wireless network 200 after required network registration oractivation procedures have been completed. Network access is associatedwith a subscriber or user of the communication device 100. To identify asubscriber, the communication device 100 requires a SIM/RUIM card 126(i.e. Subscriber Identity Module or a Removable User Identity Module) oranother suitable identity module to be inserted into a SIM/RUIMinterface 128 in order to communicate with a network. The SIM/RUIM card126 is one type of a conventional “smart card” that can be used toidentify a subscriber of the communication device 100 and to personalizethe communication device 100, among other things. Without the SIM/RUIMcard 126, the communication device 100 is not fully operational forcommunication with the wireless network 200. By inserting the SIM/RUIMcard 126 into the SIM/RUIM interface 128, a subscriber can access allsubscribed services. Services can include: web browsing and messagingsuch as e-mail, voice mail, Short Message Service (SMS), and MultimediaMessaging Services (MMS). More advanced services can include: point ofsale, field service and sales force automation. The SIM/RUIM card 126includes a processor and memory for storing information. Once theSIM/RUIM card 126 is inserted into the SIM/RUIM interface 128, it iscoupled to the main processor 102. In order to identify the subscriber,the SIM/RUIM card 126 can include some user parameters such as anInternational Mobile Subscriber Identity (IMSI). An advantage of usingthe SIM/RUIM card 126 is that a subscriber is not necessarily bound byany single physical mobile device. The SIM/RUIM card 126 can storeadditional subscriber information for a mobile device as well, includingdatebook (or calendar) information and recent call information.Alternatively, user identification information can also be programmedinto the flash memory 108.

The communication device 100 may be a battery-powered device including abattery interface 132 for receiving one or more rechargeable batteries130. In at least some embodiments, the battery 130 can be a smartbattery with an embedded microprocessor. The battery interface 132 iscoupled to a regulator (not shown), which assists the battery 130 inproviding power V+ to the communication device 100. Although currenttechnology makes use of a battery, future technologies such as microfuel cells can provide the power to the communication device 100.

The communication device 100 also includes an operating system 134 andsoftware components 136 to 146 which are described in more detail below.The operating system 134 and the software components 136 to 146 that areexecuted by the main processor 102 are typically stored in a persistentstore such as the flash memory 108, which can alternatively be aread-only memory (ROM) or similar storage element (not shown). Thoseskilled in the art will appreciate that portions of the operating system134 and the software components 136 to 146, such as specific deviceapplications, or parts thereof, can be temporarily loaded into avolatile store such as the RAM 106. Other software components can alsobe included, as is well known to those skilled in the art.

The subset of software applications 136 that control basic deviceoperations, including data and voice communication applications, willnormally be installed on the communication device 100 during itsmanufacture. Other software applications include a message application138 that can be any suitable software program that allows a user of thecommunication device 100 to send and receive electronic messages.Various alternatives exist for the message application 138 as is wellknown to those skilled in the art. Messages that have been sent orreceived by the user are typically stored in the flash memory 108 of thecommunication device 100 or some other suitable storage element in thecommunication device 100. In at least some embodiments, some of the sentand received messages can be stored remotely from the device 100 such asin a data store of an associated host system that the communicationdevice 100 communicates with.

The software applications can further include a device state module 140,a Personal Information Manager (PIM) 142, and other suitable modules(not shown). The device state module 140 provides persistence, i.e. thedevice state module 140 ensures that important device data is stored inpersistent memory, such as the flash memory 108, so that the data is notlost when the communication device 100 is turned off or loses power.

The PIM 142 includes functionality for organizing and managing dataitems of interest to the user, such as, but not limited to, e-mail,contacts, calendar events, voice mails, appointments, and task items. APIM application has the ability to send and receive data items via thewireless network 200. PIM data items can be seamlessly integrated,synchronized, and updated via the wireless network 200 with the mobiledevice subscriber's corresponding data items stored and/or associatedwith a host computer system. This functionality creates a mirrored hostcomputer on the communication device 100 with respect to such items.This can be particularly advantageous when the host computer system isthe mobile device subscriber's office computer system. Some or all ofthe data items stored at the communication device 100 may be indexed forsearching on the device 100 either through a corresponding application,such as the PIM 142, or another suitable module. In addition, the itemsmay be searchable using a unified search process implemented in thedevice operating system 134. For example, application data items can beencapsulated in a searchable entity class and registered with a unifiedsearch engine on the device 100 that executes searches against allregistered data repositories on the device based on received queries.The search engine can also be configured to invoke a search process ofexternal resources, such as Internet search engines or remote databases.

The communication device 100 also includes a connect module 144, and aninformation technology (IT) policy module 146. The connect module 144implements the communication protocols that are required for thecommunication device 100 to communicate with the wireless infrastructureand any host system, such as an enterprise system, that thecommunication device 100 is authorized to interface with. Examples of awireless infrastructure and an enterprise system are given in FIGS. 3and 4, which are described in more detail below.

The connect module 144 includes a set of Application ProgrammingInterfaces (APIs) that can be integrated with the communication device100 to allow the communication device 100 to use any number of servicesassociated with the enterprise system or with other systems accessibleover the network 200. The connect module 144 allows the communicationdevice 100 to establish an end-to-end secure, authenticatedcommunication pipe with the host system. A subset of applications forwhich access is provided by the connect module 144 can be used to passIT policy commands from the host system to the communication device 100.This can be done in a wireless or wired manner. These instructions canthen be passed to the IT policy module 146 to modify the configurationof the device 100. Alternatively, in some cases, the IT policy updatecan also be done over a wired connection.

Other types of software applications can also be installed on thecommunication device 100. These software applications can be third partyapplications, which are added after the manufacture of the communicationdevice 100. Examples of third party applications include games,calculators, utilities, etc.

The additional applications can be loaded onto the communication device100 through at least one of the wireless network 200, the auxiliary I/Osubsystem 112, the data port 114, the short-range communicationssubsystem 122, or any other suitable device subsystem 124. Thisflexibility in application installation increases the functionality ofthe communication device 100 and can provide enhanced on-devicefunctions, communication-related functions, or both. For example, securecommunication applications can enable electronic commerce functions andother such financial transactions to be performed using thecommunication device 100.

The data port 114 enables a subscriber to set preferences through anexternal device or software application and extends the capabilities ofthe communication device 100 by providing for information or softwaredownloads to the communication device 100 other than through a wirelesscommunication network. The alternate download path can, for example, beused to load an encryption key onto the communication device 100 througha direct and thus reliable and trusted connection to provide securedevice communication. The data port 114 can be any suitable port thatenables data communication between the communication device 100 andanother computing device. The data port 114 can be a serial or aparallel port. In some instances, the data port 114 can be a USB portthat includes data lines for data transfer and a supply line that canprovide a charging current to charge the battery 130 of thecommunication device 100.

The short-range communications subsystem 122 provides for communicationbetween the communication device 100 and different systems or devices,without the use of the wireless network 200. For example, the subsystem122 can include an infrared device and associated circuits andcomponents for short-range communication. Examples of short-rangecommunication standards include standards developed by the Infrared DataAssociation (IrDA), Bluetooth™, and the 802.11™ family of standards.

In use, a received signal such as a text message, an e-mail message, orweb page download will be processed by the communication subsystem 104and input to the main processor 102. The main processor 102 will thenprocess the received signal for output to the display 110 oralternatively to the auxiliary I/O subsystem 112. A subscriber can alsocompose data items, such as e-mail messages, for example, using thekeyboard 116 in conjunction with the display 110 and possibly theauxiliary I/O subsystem 112. The auxiliary subsystem 112 can includedevices such as: a touchscreen, mouse, track ball, infrared fingerprintdetector, or a roller wheel with dynamic button pressing capability. Thekeyboard 116 may be an alphanumeric keyboard and/or telephone-typekeypad. However, other types of keyboards can also be used. A composeditem can be transmitted over the wireless network 200 through thecommunication subsystem 104. It will be appreciated that if the display110 comprises a touchscreen, then the auxiliary subsystem 112 may stillcomprise one or more of the devices identified above.

For voice communications, the overall operation of the communicationdevice 100 is substantially similar, except that the received signalsare output to the speaker 118, and signals for transmission aregenerated by the microphone 120. Alternative voice or audio I/Osubsystems, such as a voice message recording subsystem, can also beimplemented on the communication device 100. Although voice or audiosignal output is accomplished primarily through the speaker 118, thedisplay 110 can also be used to provide additional information such asthe identity of a calling party, duration of a voice call, or othervoice call related information.

FIG. 2 shows an exemplary block diagram of the communication subsystemcomponent 104. The communication subsystem 104 includes a receiver 150,a transmitter 152, as well as associated components such as one or moreembedded or internal antenna elements 154 and 156, Local Oscillators(LOs) 158, and a processing module such as a Digital Signal Processor(DSP) 160. The particular design of the communication subsystem 104 isdependent upon the communication network 200 with which thecommunication device 100 is intended to operate. Thus, it should beunderstood that the design illustrated in FIG. 2 serves only as oneexample.

Signals received by the antenna 154 through the wireless network 200 areinput to the receiver 150, which can perform such common receiverfunctions as signal amplification, frequency down conversion, filtering,channel selection, and analog-to-digital (A/D) conversion. A/Dconversion of a received signal allows more complex communicationfunctions such as demodulation and decoding to be performed in the DSP160. In a similar manner, signals to be transmitted are processed,including modulation and encoding, by the DSP 160. These DSP-processedsignals are input to the transmitter 152 for digital-to-analog (D/A)conversion, frequency up conversion, filtering, amplification andtransmission over the wireless network 200 via the antenna 156. The DSP160 not only processes communication signals, but also provides forreceiver and transmitter control. For example, the gains applied tocommunication signals in the receiver 150 and the transmitter 152 can beadaptively controlled through automatic gain control algorithmsimplemented in the DSP 160.

The wireless link between the communication device 100 and the wirelessnetwork 200 can contain one or more different channels, typicallydifferent RF channels, and associated protocols used between thecommunication device 100 and the wireless network 200. An RF channel isa limited resource that should be conserved, typically due to limits inoverall bandwidth and limited battery power of the communication device100. When the communication device 100 is fully operational, thetransmitter 152 is typically keyed or turned on only when it istransmitting to the wireless network 200 and is otherwise turned off toconserve resources. Similarly, the receiver 150 is periodically turnedoff to conserve power until it is needed to receive signals orinformation (if at all) during designated time periods. Othercommunication subsystems, such as the WLAN communication subsystem 105shown in FIG. 1, may be provided with similar components as thosedescribed above configured for communication over the appropriatefrequencies and using the appropriate protocols.

FIG. 3 is a block diagram of an exemplary implementation of a node 202of the wireless network 200. In practice, the wireless network 200comprises one or more nodes 202. In conjunction with the connect module144, the communication device 100 can communicate with the node 202within the wireless network 200. In the exemplary implementation of FIG.3, the node 202 is configured in accordance with General Packet RadioService (GPRS) and Global Systems for Mobile (GSM) technologies. Thenode 202 includes a base station controller (BSC) 204 with an associatedtower station 206, a Packet Control Unit (PCU) 208 added for GPRSsupport in GSM, a Mobile Switching Center (MSC) 210, a Home LocationRegister (HLR) 212, a Visitor Location Registry (VLR) 214, a ServingGPRS Support Node (SGSN) 216, a Gateway GPRS Support Node (GGSN) 218,and a Dynamic Host Configuration Protocol (DHCP) 220. This list ofcomponents is not meant to be an exhaustive list of the components ofevery node 202 within a GSM/GPRS network, but rather a list ofcomponents that are commonly used in communications through the network200.

In a GSM network, the MSC 210 is coupled to the BSC 204 and to alandline network, such as a Public Switched Telephone Network (PSTN) 222to satisfy circuit switched requirements. The connection through the PCU208, the SGSN 216 and the GGSN 218 to a public or private network(Internet) 224 (also referred to herein generally as a shared networkinfrastructure) represents the data path for GPRS capable mobiledevices. In a GSM network extended with GPRS capabilities, the BSC 204also contains the Packet Control Unit (PCU) 208 that connects to theSGSN 216 to control segmentation, radio channel allocation and tosatisfy packet switched requirements. To track the location of thecommunication device 100 and availability for both circuit switched andpacket switched management, the HLR 212 is shared between the MSC 210and the SGSN 216. Access to the VLR 214 is controlled by the MSC 210.

The station 206 is a fixed transceiver station and together with the BSC204 form fixed transceiver equipment. The fixed transceiver equipmentprovides wireless network coverage for a particular coverage areacommonly referred to as a “cell”. The fixed transceiver equipmenttransmits communication signals to and receives communication signalsfrom mobile devices within its cell via the station 206. The fixedtransceiver equipment normally performs such functions as modulation andpossibly encoding and/or encryption of signals to be transmitted to thecommunication device 100 in accordance with particular, usuallypredetermined, communication protocols and parameters, under control ofits controller. The fixed transceiver equipment similarly demodulatesand possibly decodes and decrypts, if necessary, any communicationsignals received from the communication device 100 within its cell.Communication protocols and parameters can vary between different nodes.For example, one node can employ a different modulation scheme andoperate at different frequencies than other nodes.

For all communication devices 100 registered with a specific network,permanent configuration data such as a user profile is stored in the HLR212. The HLR 212 also contains location information for each registeredmobile device and can be queried to determine the current location of amobile device. The MSC 210 is responsible for a group of location areasand stores the data of the mobile devices currently in its area ofresponsibility in the VLR 214. Further, the VLR 214 also containsinformation on mobile devices that are visiting other networks. Theinformation in the VLR 214 includes part of the permanent mobile devicedata transmitted from the HLR 212 to the VLR 214 for faster access. Bymoving additional information from a remote HLR 212 node to the VLR 214,the amount of traffic between these nodes can be reduced so that voiceand data services can be provided with faster response times and at thesame time requiring less use of computing resources.

The SGSN 216 and the GGSN 218 are elements added for GPRS support;namely packet switched data support, within GSM. The SGSN 216 and theMSC 210 have similar responsibilities within the wireless network 200 bykeeping track of the location of each communication device 100. The SGSN216 also performs security functions and access control for data trafficon the wireless network 200. The GGSN 218 provides internetworkingconnections with external packet switched networks and connects to oneor more SGSNs 216 via an Internet Protocol (IP) backbone networkoperated within the network 200. During normal operations, a givencommunication device 100 must perform a “GPRS Attach” to acquire an IPaddress and to access data services. This requirement is not present incircuit switched voice channels as Integrated Services Digital Network(ISDN) addresses are used for routing incoming and outgoing calls.Currently, all GPRS capable networks use private, dynamically assignedIP addresses, thus requiring the DHCP server 220 connected to the GGSN218. There are many mechanisms for dynamic IP assignment, includingusing a combination of a Remote Authentication Dial-In User Service(RADIUS) server and a DHCP server. Once the GPRS Attach is complete, alogical connection is established from a communication device 100,through the PCU 208, and the SGSN 216 to an Access Point Node (APN)within the GGSN 218. The APN represents a logical end of an IP tunnelthat can either access direct Internet compatible services or privatenetwork connections. The APN also represents a security mechanism forthe network 200, insofar as each communication device 100 must beassigned to one or more APNs and communication devices 100 cannotexchange data without first performing a GPRS Attach to an APN that ithas been authorized to use. The APN can be considered to be similar toan Internet domain name such as “myconnection.wireless.com”.

Once the GPRS Attach operation is complete, a tunnel is created and alltraffic is exchanged within standard IP packets using any protocol thatcan be supported in IP packets. This includes tunneling methods such asIP over IP as in the case with some IPSecurity (Ipsec) connections usedwith Virtual Private Networks (VPN). These tunnels are also referred toas Packet Data Protocol (PDP) Contexts and there are a limited number ofthese available in the network 200. To maximize use of the PDP Contexts,the network 200 will run an idle timer for each PDP Context to determineif there is a lack of activity. When a communication device 100 is notusing its PDP Context, the PDP Context can be de-allocated and the IPaddress returned to the IP address pool managed by the DHCP server 220.

FIG. 4A is a block diagram illustrating components of an exemplaryconfiguration of a host system 250 with which the communication device100 can communicate in conjunction with the connect module 144. The hostsystem 250 will typically be a corporate enterprise or other local areanetwork (LAN), but can also be a home office computer or some otherprivate system, for example, in variant implementations. In the exampleshown in FIG. 4, the host system 250 is depicted as a LAN of anorganization to which a user of the communication device 100 belongs.Typically, a plurality of mobile devices can communicate wirelessly withthe host system 250 through one or more nodes 202 of the wirelessnetwork 200.

The host system 250 comprises a number of network components connectedto each other by a network 260. For instance, a user's desktop computer262 a with an accompanying cradle 264 for the user's communicationdevice 100 is situated on a LAN connection. The cradle 264 for thecommunication device 100 can be coupled to the computer 262 a by aserial or a Universal Serial Bus (USB) connection, for example. Otheruser computers 262 b-262 n are also situated on the network 260, andeach can be equipped with an accompanying cradle 264. The cradle 264facilitates the loading of information (e.g. PIM data, private symmetricencryption keys to facilitate secure communications) from the usercomputer 262 a to the communication device 100, and can be particularlyuseful for bulk information updates often performed in initializing thecommunication device 100 for use. The information downloaded to thecommunication device 100 can include certificates used in the exchangeof messages.

It will be understood by persons skilled in the art that the usercomputers 262 a-262 n are typically also connected to other peripheraldevices, such as printers, etc., which are not explicitly shown in FIG.4. Furthermore, only a subset of network components of the host system250 are shown in FIG. 4A for ease of exposition, and it will beunderstood by persons skilled in the art that the host system 250 willcomprise additional components that are not explicitly shown in FIG. 4Afor this exemplary configuration. More generally, the host system 250can represent a smaller part of a larger network (not shown) of theorganization, and can comprise different components and/or be arrangedin different topologies than that shown in the exemplary embodiment ofFIG. 4.

To facilitate the operation of the communication device 100 and thewireless communication of messages and message-related data between thecommunication device 100 and components of the host system 250, a numberof wireless communication support components 270 can be provided. Insome implementations, the wireless communication support components 270can include a message management server 272, a mobile data server 274, aweb server, such as Hypertext Transfer Protocol (HTTP) server 275, acontact server 276, and a device manager module 278. HTTP servers canalso be located outside the enterprise system, as indicated by the HTTPserver 279 attached to the network 224. The device manager module 278includes an IT Policy editor 280 and an IT user property editor 282, aswell as other software components for allowing an IT administrator toconfigure the communication devices 100. In an alternative embodiment,there can be one editor that provides the functionality of both the ITpolicy editor 280 and the IT user property editor 282. The supportcomponents 270 also include a data store 284, and an IT policy server286. The IT policy server 286 includes a processor 288, a networkinterface 290 and a memory unit 292. The processor 288 controls theoperation of the IT policy server 286 and executes functions related tothe standardized IT policy as described below. The network interface 290allows the IT policy server 286 to communicate with the variouscomponents of the host system 250 and the communication devices 100. Thememory unit 292 can store functions used in implementing the IT policyas well as related data. Those skilled in the art know how to implementthese various components. Other components can also be included as iswell known to those skilled in the art. Further, in someimplementations, the data store 284 can be part of any one of theservers.

In this exemplary embodiment, the communication device 100 communicateswith the host system 250 through node 202 of the wireless network 200and a shared network infrastructure 224 such as a service providernetwork or the public Internet. Access to the host system 250 can beprovided through one or more routers (not shown), and computing devicesof the host system 250 can operate from behind a firewall or proxyserver 266. The proxy server 266 provides a secure node and a wirelessinternet gateway for the host system 250. The proxy server 266intelligently routes data to the correct destination server within thehost system 250.

In some implementations, the host system 250 can include a wireless VPNrouter (not shown) to facilitate data exchange between the host system250 and the communication device 100. The wireless VPN router allows aVPN connection to be established directly through a specific wirelessnetwork to the communication device 100. The wireless VPN router can beused with the Internet Protocol (IP) Version 6 (IPV6) and IP-basedwireless networks. This protocol can provide enough IP addresses so thateach mobile device has a dedicated IP address, making it possible topush information to a mobile device at any time. An advantage of using awireless VPN router is that it can be an off-the-shelf VPN component,and does not require a separate wireless gateway and separate wirelessinfrastructure. A VPN connection may be a Transmission Control Protocol(TCP)/IP or User Datagram Protocol (UDP)/IP connection for deliveringthe messages directly to the communication device 100 in thisalternative implementation.

Messages intended for a user of the communication device 100 areinitially received by a message server 268 of the host system 250. Suchmessages can originate from any number of sources. For instance, amessage can have been sent by a sender from the computer 262 b withinthe host system 250, from a different mobile device (not shown)connected to the wireless network 200 or a different wireless network,or from a different computing device, or other device capable of sendingmessages, via the shared network infrastructure 224, possibly through anapplication service provider (ASP) or Internet service provider (ISP),for example.

The message server 268 typically acts as the primary interface for theexchange of messages, particularly e-mail messages, within theorganization and over the shared network infrastructure 224. Each userin the organization that has been set up to send and receive messages istypically associated with a user account managed by the message server268. Some exemplary implementations of the message server 268 include aMicrosoft Exchange™ server, a Lotus Domino™ server, a Novell Groupwise™server, or another suitable mail server installed in a corporateenvironment. In some implementations, the host system 250 can comprisemultiple message servers 268. The message server 268 can also be adaptedto provide additional functions beyond message management, including themanagement of data associated with calendars and task lists, forexample.

When messages are received by the message server 268, they are typicallystored in a data store associated with the message server 268. In atleast some embodiments, the data store can be a separate hardware unit,such as data store 284, with which the message server 268 communicates.Messages can be subsequently retrieved and delivered to users byaccessing the message server 268. For instance, an e-mail clientapplication operating on a user's computer 262 a can request the e-mailmessages associated with that user's account stored on the data storeassociated with the message server 268. These messages are thenretrieved from the data store and stored locally on the computer 262 a.The data store associated with the message server 268 can store copiesof each message that is locally stored on the communication device 100.Alternatively, the data store associated with the message server 268 canstore all of the messages for the user of the communication device 100and only a smaller number of messages can be stored on the communicationdevice 100 to conserve memory. For instance, the most recent messages(i.e. those received in the past two to three months for example) can bestored on the communication device 100.

When operating the communication device 100, the user may wish to havee-mail messages retrieved for delivery to the communication device 100.The message application 138 operating on the communication device 100can also request messages associated with the user's account from themessage server 268. The message application 138 can be configured(either by the user or by an administrator, possibly in accordance withan organization's IT policy) to make this request at the direction ofthe user, at some pre-defined time interval, or upon the occurrence ofsome pre-defined event. In some implementations, the communicationdevice 100 is assigned its own e-mail address, and messages addressedspecifically to the communication device 100 are automaticallyredirected to the communication device 100 as they are received by themessage server 268.

The message management server 272 can be used to specifically providesupport for the management of messages, such as e-mail messages, thatare to be handled by mobile devices. Generally, while messages are stillstored on the message server 268, the message management server 272 canbe used to control when, if, and how messages are sent to thecommunication device 100. The message management server 272 alsofacilitates the handling of messages composed on the communicationdevice 100, which are sent to the message server 268 for subsequentdelivery.

For example, the message management server 272 can monitor the user's“mailbox” (e.g. the message store associated with the user's account onthe message server 268) for new e-mail messages, and applyuser-definable filters to new messages to determine if and how themessages are relayed to the user's communication device 100. The messagemanagement server 272 can also, through an encoder (not shown)associated therewith, compress message data, using any suitablecompression/decompression technology (e.g. YK compression, JPEG, MPEG-x,H.26x, and other known techniques) and encrypt messages (e.g. using anencryption technique such as Data Encryption Standard (DES), Triple DES,or Advanced Encryption Standard (AES)), and push them to thecommunication device 100 via the shared network infrastructure 224 andthe wireless network 200. The message management server 272 can alsoreceive messages composed on the communication device 100 (e.g.encrypted using Triple DES), decrypt and decompress the composedmessages, re-format the composed messages if desired so that they willappear to have originated from the user's computer 262 a, and re-routethe composed messages to the message server 268 for delivery.

Certain properties or restrictions associated with messages that are tobe sent from and/or received by the communication device 100 can bedefined (e.g. by an administrator in accordance with IT policy) andenforced by the message management server 272. These may include whetherthe communication device 100 can receive encrypted and/or signedmessages, minimum encryption key sizes, whether outgoing messages mustbe encrypted and/or signed, and whether copies of all secure messagessent from the communication device 100 are to be sent to a pre-definedcopy address, for example.

The message management server 272 can also be adapted to provide othercontrol functions, such as only pushing certain message information orpre-defined portions (e.g. “blocks”) of a message stored on the messageserver 268 to the communication device 100. For example, in some cases,when a message is initially retrieved by the communication device 100from the message server 268, the message management server 272 can pushonly the first part of a message to the communication device 100, withthe part being of a pre-defined size (e.g. 2 KB). The user can thenrequest that more of the message be delivered in similar-sized blocks bythe message management server 272 to the communication device 100,possibly up to a maximum pre-defined message size. Accordingly, themessage management server 272 facilitates better control over the typeof data and the amount of data that is communicated to the communicationdevice 100, and can help to minimize potential waste of bandwidth orother resources.

The mobile data server 274 encompasses any other server that storesinformation that is relevant to the corporation. The mobile data server274 can include, but is not limited to, databases, online data documentrepositories, customer relationship management (CRM) systems, orenterprise resource planning (ERP) applications. The mobile data server274 can also connect to the Internet or other public network, throughHTTP server 275 or other suitable web server such as an File TransferProtocol (FTP) server, to retrieve HTTP webpages and other data.Requests for webpages are typically routed through mobile data server274 and then to HTTP server 275, through suitable firewalls and otherprotective mechanisms. The web server then retrieves the webpage overthe Internet, and returns it to mobile data server 274. As describedabove in relation to message management server 272, mobile data server274 is typically provided, or associated, with an encoder 277 thatpermits retrieved data, such as retrieved webpages, to be decompressedand compressed, using any suitable compression technology (e.g. YKcompression, JPEG, MPEG-x, H.26x and other known techniques), andencrypted (e.g. using an encryption technique such as DES, Triple DES,or AES), and then pushed to the communication device 100 via the sharednetwork infrastructure 224 and the wireless network 200. While encoder277 is only shown for mobile data server 274, it will be appreciatedthat each of message server 268, message management server 272, and HTTPservers 275 and 279 can also have an encoder associated therewith.

The contact server 276 can provide information for a list of contactsfor the user in a similar fashion as the address book on thecommunication device 100. Accordingly, for a given contact, the contactserver 276 can include the name, phone number, work address and e-mailaddress of the contact, among other information. The contact server 276can also provide a global address list that contains the contactinformation for all of the contacts associated with the host system 250.

It will be understood by persons skilled in the art that the messagemanagement server 272, the mobile data server 274, the HTTP server 275,the contact server 276, the device manager module 278, the data store284 and the IT policy server 286 do not need to be implemented onseparate physical servers within the host system 250. For example, someor all of the functions associated with the message management server272 can be integrated with the message server 268, or some other serverin the host system 250. Alternatively, the host system 250 can comprisemultiple message management servers 272, particularly in variantimplementations where a large number of mobile devices need to besupported.

The device manager module 278 provides an IT administrator with agraphical user interface with which the IT administrator interacts toconfigure various settings for the communication devices 100. Asmentioned, the IT administrator can use IT policy rules to definebehaviors of certain applications on the communication device 100 thatare permitted such as phone, web browser or Instant Messenger use. TheIT policy rules can also be used to set specific values forconfiguration settings that an organization requires on thecommunication devices 100 such as auto signature text, WLAN/VoIP/VPNconfiguration, security requirements (e.g. encryption algorithms,password rules, etc.), specifying themes or applications that areallowed to run on the communication device 100, and the like.

In an embodiment, a computing device 100 may be provided that isoperative to categorise and assign data based upon a characteristic ofthe data into a security classification or data domain. In an aspect,the device 100 may be operative to control access to the stored data andlimit access to requesting components assigned to an access domain thathas permission to access the data domain assigned to the requested data.The data domains, access domains and permissions may be defined by asecurity policy.

In an embodiment, a system may be provided whereby an external server,such as a server in host system 250, may set the security policy tocontrol access to data used on computing devices such as mobile device100. In an aspect, a user of the computing device may set or modify thesecurity policy.

In an aspect, the classification and access to data is controlled by oneor more access components operative on the computing device. The accesscomponents may each be responsible for a specific class or type of datastored on the computing device and operative to access and modify thattype of data.

Referring to FIG. 4b , in an embodiment a host server 410, such as aserver within host system 250, may comprise a host data store 412. Thehost server 410 may be connected through a public or private network454, such as a corporate LAN or the Internet, to a wireless network 450which may include one or more network nodes 452. A mobile computingdevice 400, such as mobile device 100, in communication with thewireless network 450 may receive the security policy through thewireless network 450 from the host server 410 and store the securitypolicy, or security information from the security policy, in a devicedata store 402. The security policy, or security information from thesecurity policy, may define data domains, access domains andcorresponding permissions for the access domains. In an aspect, thesecurity policy may further specify data domains in terms of dataclassifications to allow a comparison of data characteristics of aspecific data item with the data classifications to assign a data domainto the specific data item. In an aspect, the data item may comprise adata object, and the data classifications may identify characteristicsof content within the data object to define and assign a data domain tothe data object.

The permissions may grant access rights and levels of access torequesting components assigned to each access domain. At least oneaccess component having control over the stored data, may allow accessto the stored data by evaluating the access domain of a requestingcomponent, evaluating the data domain of the requested data based upon asecurity policy in force at the time of request to identify an assignedaccess domain and an assigned data domain. The access component mayfurther determine whether the requesting component is authorized toaccess the requested data by comparing the assigned access domain andthe assigned data domain with permissions specified or defined in thecurrent security policy. The current security policy may further placeconditions or rights of access to a requesting component of an assignedaccess domain requesting access to data of an assigned data domain.

In an embodiment, the security policy sent by the host server 410 may beupdated and an updated security policy sent to the computing device 400.The access components of the computing device 400 may use the updatedsecurity policy in place of the security policy, allowing the hostserver 410 to specify changes to permissions of access domains to accessdata domains.

In an aspect, the computing device 400 may compare data characteristicsof data stored in a data store of the computing device 400 with theupdated security policy such that rights of access may change based uponboth the current content of the data and the updated security policy.

In an embodiment, the computing device 400 may employ access components,such as applications running on the device that are operative to controlaccess to data stored on the device 400. The access components may eachclassify data handled by that filing component according to datacharacteristics and assign the classified data to the data domainsspecified in the security policy. The access component may store theclassified data in one or more data stores accessible to, and in someembodiments under the sole control of, the access component. In anaspect, the data stores may be resident on the computing device 400. Inan aspect, the data stores may be accessible by the computing deviceover a network connection, such as a corporate data store maintained inhost system 250.

The access components may, in an embodiment, be further operative tocontrol access to the classified data by requiring requesting componentsoperating on the device 400 that request data controlled by the accesscomponent to comply with the current security policy. In an aspect, theaccess components may require a requesting component to be authorized toaccess data by evaluating an access domain assigned to the requestingcomponent by the current security policy.

For instance, trusted components may be assigned by the security policyto access domains that allow access and full control over sensitiveinformation that has been assigned to a restricted data domain. Thirdparty components, which may be untrusted, may be assigned to accessdomains that limit access to data domains of public or common data oflow-sensitivity or a data domain for data created by or downloaded bythe third party component. The security policy may provide furthercontrol by setting a level of access to an access domain-data domaincombination that limits what actions a requesting component can takewith respect to the requested data. For instance, in an aspect, arequesting component may be granted read access but not write access toa data domain.

Referring to FIG. 5a , in an aspect, a data originating device 500 maysend external data 505 to data storing device 510 such as device 100.The external data 505 may have a data domain assigned by the dataoriginating device 500 that is communicated as domain data to the datastoring device 510 along with the external data 505. In an embodiment,the domain data may comprise meta data of the external data 505.

Referring to FIG. 5b , the external data 505, and domain data, arepassed within device 510 to an access component 512. The accesscomponent 512 may comprise an application that is assigned control over,and is operative to access and process, a type of data stored in datastore 514 on data storing device 510. Access component 512 receives theexternal data 505 and domain data, evaluates the domain data and storesthe external data 505 in data storage 514, associated with the datadomain. The access component 512 may further process the external data505 before storing the processed data associated with the data domain inplace of the external data 505.

An example of an access component 512 may include an address bookapplication for storing contact information or, a mail program forreceiving, generating, sending and storing mail messages, for instance.The applications maintain control over a specific data type, stored andorganised by the applications. In this aspect, the processing maycomprise, for instance, converting the external data 505 from a firstdata type into a second data type, adding data to an existing entrystored in application data store 514 or deleting/amending data from anexisting entry stored in application data store 514.

In embodiments where the data originating device 500 does not assign adata domain to the external data 505, access component 512 may associatea data domain based upon a security policy as applied to datacharacteristics of the external data 505. The data characteristics mayinclude, for instance, such factors as: an identity of the dataoriginating device 500, a source of the data, a data type of the data, auser classification, a content of the data or other datacharacteristics. In an aspect, the data storing device 510 may solicitinput from a user of the device to assign a data domain to the externaldata 505. The choice of data domains presented to the user may bedefined by a security policy, wherein characteristics of the externaldata 505 are evaluated by the access component 512, in consultation withthe security policy to identify a selection of data domains to bepresented to the user for selection. In an aspect, the access componentmay be operative to access the external data 505, and evaluate contentof the external data 505 to classify the external data 505 to a datadomain.

Referring to FIG. 7a , an embodiment of the operation of the accesscomponent 512 for filing external data 505 may start when device 510receives external data 505 and domain data assigning the external data505 to a data domain from a data originating device 500 in step 700. Thedevice 510 directs the external data 505 to access component 512 forstorage in a data store 514 in step 710. Access component 512 maycomprise a filing system, an API or application, for instance, that hascontrol over access to data stored in data store 514. Access component512 evaluates the external data 505 to determine a data domain of theexternal data 505 in step 720. In an aspect, the evaluation may comprisecomparing a data domain identifier sent with the external data 505 withdata classifications specified in the security policy to associate theexternal data 505 with the data domain. In an aspect, the accesscomponent 512 may be operative to associate a data domain to data thathas not already been assigned to a data domain by comparing datacharacteristics of the external data 505 with data classificationsspecified in the security policy. Access component 512 stores theexternal data 505 in data storage 514, associated with the data domainin step 730. The access component 512 may associate the data domain by,for instance, storing the external data 505 within a portion of datastorage 514 allocated to the domain; attaching a flag, pointer, metadata or identifier to the stored data; maintaining a table or databaseidentifying data by domain, or other known means of preserving anassociation.

Data that has not been associated with a data domain by a dataoriginating device 500, or a data generating component operating on thedata storing device 510, may also be associated with a data domain bythe access component. Referring to FIG. 5c , an access component 512,such as an application generating or controlling data, may generate orreceive data to be stored in data store 514. For instance, an addressbook application may generate or receive address book information to bestored in the address book maintained in data store 514. The accesscomponent 512 may evaluate data characteristics of the data, compare thedata characteristics with data classifications specified in the securitypolicy and associate the data with a data domain. In an aspect, the dataclassifications may specify a source of the data, a data type of thedata, a user classification, or keywords as specified in a content ofthe data. The data may then be stored in data store 514 associated withthe data domain.

Referring to FIG. 7b , in an embodiment, the access component 512 maygenerate or receive data to be stored in step 750. The access component512 may classify the data according to a set of criteria in accordancewith a policy in step 760. In an aspect, the classification may comprisecomparing data characteristics of the data with data classificationsspecified in the security policy. The classified data may be associatedwith a data domain in accordance with the security policy in step 770.The classified data may be stored in the data store 514, associated withthe data domain in step 780.

In an embodiment, stored data may be retrieved by device components thathave permission to access the data domain assigned to the stored databased upon a current security policy maintained on the computing device.Referring to FIG. 6a , computing device 610 may include a requestingcomponent 615, access component 617 and a data store 614 controlled bythe access component 614.

Requesting component 615 may comprise, for instance, an applicationoperating on the device or a subsystem of the device that requires datato service a request. Access component 617 may comprise, for instance anapplication that is assigned control over, and is operative to accessand evaluate, a data type stored in data store 614.

Referring to FIG. 8a , in an embodiment, access component 617 mayreceive a request for data from data store 614 controlled by accesscomponent 617 from the requesting component 615 in step 800. The requestmay include an access domain assigned to the requesting component 615,or may include a component identifier that may be used by the accesscomponent 617 to assign an access domain as specified in the currentsecurity policy. In an embodiment, the access component 617 may maintaina record of components and their assigned domains, for instance as alook-up table or database. The record may be updated by the accesscomponent 617 based upon security information obtained from the securitypolicy. In an embodiment, the record of components and their assigneddomains may be specified in a current security policy accessible by theaccess component 617 at the time the request is serviced.

Access component 617 identifies the assigned access domain of therequesting component 615 and the assigned data domain of the requesteddata in step 810. In an embodiment, access component 617 may access datastore 614 to determine the data domain associated with the requesteddata and then consult the current security policy to obtain the assigneddata domain. In embodiments where access component 617 preserves anassociation of the data domain, access component 617 may determine thedata domain based upon the association.

For instance, the access component 617 may consult a look-up table ordatabase, read a data domain identifier associated with the requesteddata or identify a data domain associated with a portion of memory indata store 614 that contains the requested data to determine theassociated data domain.

In an embodiment, the access component 617 may evaluate one or more datacharacteristics of the requested data and compare the one or more datacharacteristics with data classifications specified in the currentsecurity policy. The access component 617 may assign an assigned datadomain based upon the evaluation and comparison.

Access component 617 then determines whether to grant access to therequested data by comparing the assigned access domain of the requestingcomponent 615 and the assigned data domain with permissions specified inthe current security policy to determine if the requesting component 615is authorized to access the requested data in step 820. If therequesting component 615 is not authorized to access the requested data,the access component 617 terminates the request in step 825, optionallyby returning an error notification. If the requesting component 615 isauthorized to access the requested data, the access component 617 grantsaccess to the requested data in step 830.

The determining whether to grant access may further comprise determininga specific right of access as defined in the security policy. Forinstance, the access component 617 may grant access and forward therequested data to the requesting component 615, write an amendmentspecified by the requesting component 615 to the requested data andstoring the amended data in place of the requested data in the datastore 614 or deleting the requested data from the data store 614.

Referring to FIG. 6b , in an embodiment, retrieval component 619 maycomprise an intermediary between a requesting component 615 and anaccess component 620 that controls data store 621. As indicated in FIG.6b , retrieval component 619 may further control access to a common datastore 616 that may store data from various applications. Retrievalcomponent 619 may control access to the common data store 616 in theconventional manner of computing devices, or may itself operate as anaccess component 617. Common data store 626 may comprise a sharedportion of memory along with data store 621, or may comprise a separatememory such as flash memory on the computing device 610 or removableflash memory on the computing device 610.

In the embodiment of FIG. 6b , requesting component 615 directs itsrequest for data to retrieval component 619. Requesting component 615may or may not include in its request a component identifier or anaccess domain identifier identifying the requesting component 615 or theaccess domain of the requesting component 615 respectively.

Retrieval component 619 may interface with more than access component620, though in the embodiment of FIG. 6b only a single access component620 is illustrated, along with common data store 616. Where the requestfor data involves data under the control of retrieval component 619, forinstance common data store 616, retrieval component 619 handles therequest directly and may grant access as specified above.

Where the request for data involves data under the control of accesscomponent 620, retrieval component 619 forwards the request, and anycomponent identifier or access domain identifier, to access component620. In an embodiment, retrieval component 619 may classify therequesting component 615 against a current security policy, and assignan access domain to the requesting component 615 and forward an assignedaccess domain identifier to the access component 620. Access component620 receives the request and evaluates any component identifier, accessdomain identifier or assigned access domain identifier received with thedata domain and the current security policy to determine whether therequesting component 615 is authorised to access the requested data.

Referring to FIG. 8b , the access component 620 may receive a requestfor data submitted by the retrieval component 619 along with a componentidentifier, access domain identifier or assigned access domainidentifier of the requesting component 615 in step 900. Access component620 identifies an assigned data domain of the requested data and anassigned access domain of the requesting component 615 in step 910.Access component 620 may identify the assigned access domain bycomparing the component identifier, access domain identifier or assignedaccess domain identifier, with security information in the currentsecurity policy to identify the assigned access domain. In an aspect,the current security policy may comprise an updated security policy thatmay differ from the security policy used to define the access domainidentifier, and the access component 620 may consult the updatedsecurity policy to identify the assigned access domain that may differfrom the access domain identified by the access domain identifier.

Access component 620 evaluates the assigned data domain and the assignedaccess domain based on the current security policy to determine whetherthe requesting component 615 is authorised to access the requested datain step 920. If the requesting component 615 is not authorised to accessthe requested data, the access component 620 may terminate the requestand optionally return a request denial to the requesting component 615in step 925. If the requesting component 615 is authorised to access therequested data, the access component 620 may grant access to therequested data in step 930. The granted access may, for instance,include forwarding the requested data to retrieval component 615,writing an amendment specified by the requesting component 615 to therequested data and storing the amended data in place of the requesteddata in the data store 621 or deleting the requested data from the datastore 621.

Referring to FIG. 4b , in an embodiment, a system may be providedwhereby a host server 410, such as a server in host system 250, may seta security policy to control access to data used on computing devicessuch as computing device 400. The server may forward the security policyto the computing device 400, the security policy defining data domains,access domains and corresponding permissions for granting access to datastored on, or accessible by, the computing device 400. The securitypolicy may define the data domains by specifying data classificationsthat identify and correlate data content with each of the data domains.The computing device 400, in implementing the security policy, mayemploy access components 512 617 620, such as applications running onthe device that are operative to access and evaluate specific types ofdata, to classify the data handled by each application and assign theclassified data to the data domains specified in the security policy.

In an aspect, the host server 410 may be operative forward an updatedsecurity policy to the computing device 400. The updated security policyreplacing an existing security policy being applied by the computingdevice 400 to grant access to data stored on the computing device 400.

Access components 512 617 620 may consult the updated security policy togrant access to data under their control. The updated security policymay, for instance, specify data classifications or data characteristicsassociated with a particular data domain such that the definition of adata domain changes. The updated security policy may further changeaccess permissions granted to access domains over particular datadomains. Accordingly, the updated security policy forwarded by the hostserver 410 may be implemented by the access components 512 617 620 tocontrol access to data based upon data-type characteristics or datacontent characteristics.

In an embodiment, an access component 512 617 620 may assign a dataobject to a data domain based upon content such as an author orrecipient of the object. For instance, a mail application may assignmail sent to a corporate address as belonging within the corporatedomain and mail sent to a personal address as belonging in the public orcommon domain. The mail application may assign the mail by accessing amail object, evaluate content fields or metadata of the mail object toidentify a sender or recipient of the mail object. The mail applicationmay further classify mail objects sent or received to a specificcorporate mail domain as being within a corporate domain. Accordingly,the mail application may restrict future access to the mail assigned tothe corporate domain to applications of an assigned access domain thatare authorized to view data that falls within the corporate domain.

In an embodiment, an access component 512 617 620 may assign a dataobject to a data domain based upon content such as a time of datageneration/capture, a location of the device or a combination of bothfactors. For instance, a photo application may capture a photograph andclassify the data to the corporate domain if it is captured duringbusiness hours and/or the device is located at the corporate location.The same photo application may capture a photograph and classify thedata to the public/common domain if the data is captured after businesshours, on the weekend or at a user's home location.

In both instances, the security policy may set what permissions may beallowed, but the access components that control specific data types mayassess different criteria based upon data content to apply thepermissions appropriately to classify data as belonging to a particulardata domain.

Where an updated security policy may be sent to the computing device400, the access components 512 617 620 may be operative to apply theupdated security policy at a time that data is requested by a requestingcomponent 615. Accordingly, data may be classified and stored by thecomputing device 400 in association with an assigned data domain underan existing security policy. The computing device 400 may receive anupdated security policy that may change access permissions based uponrequesting component, access domain, data domain or datacharacteristics. The access components 512 617 620 may enforce thesecurity policy at a time that data is requested by a requestingcomponent 615 by identifying an access domain of the requesting domainand a data domain of the requested data based upon the updated securitypolicy and determining whether to grant access the data by comparing theaccess domain and the data domain with the permissions specified in theupdated security policy. The identifying the data domain may compriseevaluating one or more data characteristics of the requested data andassigning a data domain to the requested data at the time of requestbased on the one or more data characteristics and the updated securitypolicy.

In an embodiment where the data may be stored in association with a datadomain identifier assigned to the data at the time of storage, theidentifying the data domain may comprise evaluating one or more datacharacteristics of the requested data wherein the one or more datacharacteristics may include both the data domain identifier associatedwith the requested data and other content of the data.

The access components 512 617 620 may evaluate the data characteristicsby retrieving the associated data domain identifier and matching theretrieved data domain identifier with an assigned data domain specifiedin the updated security policy. Accordingly, data may be stored inassociation with a data domain specified in a security policy and yetaccess may be granted by the access component 512 617 620 based upon theassigned data domain specified in the updated security policy.

The access components 512 617 620 may further evaluate the datacharacteristics by retrieving both the data domain identifier and theother content and matching the retrieved data domain identifier andother content with an assigned data domain specified in the updatedsecurity policy. Accordingly, data may be stored in association with adata domain specified in one security policy and yet access may begranted by the access component 512 617 620 based upon the other contentand an assigned data domain specified in the updated security policy.

The systems and methods disclosed herein are presented only by way ofexample and are not meant to limit the scope of the subject matterdescribed herein. Other variations of the systems and methods describedabove will be apparent to those in the art and as such are considered tobe within the scope of the subject matter described herein. For example,it should be understood that steps and the order of the steps in theprocessing described herein may be altered, modified and/or augmentedand still achieve the desired outcome. It will also be appreciated thatalthough the embodiments herein have been directed generally to calendarevents, similar systems and methods may be carried out in respect ofother types of time or schedule-based user data.

The systems' and methods' data may be stored in one or more data stores.The data stores can be of many different types of storage devices andprogramming constructs, such as RAM, ROM, flash memory, programming datastructures, programming variables, etc. It is noted that data structuresdescribe formats for use in organizing and storing data in databases,programs, memory, or other computer-readable media for use by a computerprogram.

Code adapted to provide the systems and methods described above may beprovided on many different types of computer-readable media includingcomputer storage mechanisms (e.g., CD-ROM, diskette, RAM, flash memory,computer's hard drive, etc.) that contain instructions for use inexecution by a processor to perform the methods' operations andimplement the systems described herein.

The computer components, software modules, functions and data structuresdescribed herein may be connected directly or indirectly to each otherin order to allow the flow of data needed for their operations. It isalso noted that a module or processor includes but is not limited to aunit of code that performs a software operation, and can be implementedfor example as a subroutine unit of code, or as a software function unitof code, or as an object (as in an object-oriented paradigm), or as anapplet, or in a computer script language, or as another type of computercode.

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by any one of the patentdocument or patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightswhatsoever.

We claim:
 1. A method for a computing device controlling access to datastored on a data store of the computing device, an access component ofthe computing device having control over access to the data, the methodcomprising the access component: receiving a request for data from arequesting component; identifying an assigned access domain of therequesting component and an assigned data domain of the requested databased on a security policy; determining whether the requesting componentis authorized to access the data by comparing one or more permissionsspecified in the security policy with each of the assigned access domainand the assigned data domain; and, as a result of determining that theassigned access domain is authorized to access the assigned data domain,providing access to the data.
 2. The method of claim 1 wherein theidentifying the assigned data domain of the data comprises evaluatingone or more data characteristics of the data and identifying theassigned data domain based on the one or more data characteristics andthe security policy.
 3. The method of claim 2 wherein the one or moredata characteristics comprises a data domain identifier associated withthe data, and the evaluating comprises retrieving the data domainidentifier and matching the retrieved data domain identifier with acorresponding assigned data domain specified in the security policy. 4.The method of claim 2 wherein the data comprises a data objectaccessible to the access component and wherein the evaluating one ormore data characteristics comprises the access component accessing thedata object and analysing the data object to evaluate a content of thedata object and comparing the content with data classifications definedin the security policy to identify the assigned data domain.
 5. Themethod of claim 1 wherein the identifying the assigned access domain ofthe requesting component comprises receiving an access domain identifierfrom the requesting component and matching the received access domainidentifier with a corresponding assigned access domain specified in thesecurity policy to identify the assigned access domain.
 6. The method ofclaim 1 wherein before the access component receives the request, theaccess component classifies the data to assign a data domain by:evaluating data characteristics of the data; comparing the datacharacteristics with data classifications defined in the security policyto assign a data domain; and, storing the data in the data storeassociated with the data domain.
 7. The method of claim 6 wherein theidentifying the assigned data domain comprises evaluating the datadomain stored in association with the data, and comparing the datadomain with data classifications defined in the security policy toidentify the assigned data domain.
 8. The method of claim 1 furthercomprising: the computing device receiving an updated security policyfrom a server over a network connection and the computing devicereplacing the security policy with the updated security policy such thatoperations of the access component that were based on the securitypolicy become based upon the updated security policy.
 9. A computingdevice operative to control access to data stored on a data store of thedevice, the computing device comprising: a processing unit incommunication with the data store; a requesting component operative onthe device to request data stored in the data store; an access componentoperative on the device to: control access to data stored in the datastore; receive requests for data from the requesting component; identifyan assigned access domain of the requesting component and an assigneddata domain of the data based on a security policy; determine whetherthe requesting component is authorized to access the data by comparingone or more permissions specified in the security policy with each ofthe assigned access domain and the assigned data domain; and, provideaccess to the data as a result of determining that the assigned accessdomain is authorized to access the assigned data domain.
 10. Thecomputing device of claim 9 wherein the access component is operative toidentify the assigned data domain of the requested data by evaluatingone or more data characteristics of the data and identifying theassigned data domain based on the one or more data characteristics andthe security policy.
 11. The computing device of claim 10 wherein theone or more data characteristics comprises a data domain identifierassociated with the data, and the access component is operative toevaluate by retrieving the data domain identifier and matching theretrieved data domain identifier with a corresponding assigned datadomain specified in the security policy.
 12. The computing device ofclaim 10 wherein the data comprises a data object and wherein the accesscomponent is operative to access the data object accessible to theaccess component and to evaluate the one or more data characteristics byaccessing the data object and analysing the data object to evaluate acontent of the data object and compare the content with dataclassifications defined in the security policy to identify the assigneddata domain.
 13. The computing device of claim 9 wherein the accesscomponent is operative to identify the assigned access domain of therequesting component when the access component receives an access domainidentifier from the requesting component by matching the received accessdomain identifier with a corresponding assigned access domain specifiedin the security policy to identify the assigned access domain.
 14. Thecomputing device of claim 9 wherein the access component is operative toclassify the data to assign a data domain before the access componentreceives the request, by: evaluating data characteristics of the data;comparing the data characteristics with data classifications specifiedin the security policy to assign a data domain; and, storing the data inthe data store associated with the data domain.
 15. The computing deviceof claim 14 wherein the access component is operative to identify theassigned data domain by evaluating the data domain stored in associationwith the data, and comparing the data domain with data classificationsdefined in the security policy to identify the assigned data domain. 16.The computing device of claim 9 further comprising a networkcommunications subsystem, the computing device operative to receive anupdated security policy from a server through the network communicationssubsystem, and the access component is further operative to replace thesecurity policy with the updated security policy such that operations ofthe access component that were based on the security policy become basedupon the updated security policy.
 17. A non-transitory computer-readablemedium comprising instructions which, when executed by a processor of acomputing device, cause the processor to perform instructions forcontrolling access to data stored on a data store of the computingdevice, an access component of the computing device having control overaccess to the data, the instructions comprising instructions for:receiving a request for data from a requesting component; identifying anassigned access domain of the requesting component and an assigned datadomain of the requested data based on a security policy; determiningwhether the requesting component is authorized to access the data bycomparing one or more permissions specified in the security policy witheach of the assigned access domain and the assigned data domain; and, asa result of determining that the assigned access domain is authorized toaccess the assigned data domain, providing access to the data.
 18. Thenon-transitory computer-readable medium of claim 17 wherein theidentifying the assigned data domain of the data comprises evaluatingone or more data characteristics of the data and identifying theassigned data domain based on the one or more data characteristics andthe security policy.
 19. The non-transitory computer-readable medium ofclaim 18 wherein the one or more data characteristics comprises a datadomain identifier associated with the data, and the evaluating comprisesretrieving the data domain identifier and matching the retrieved datadomain identifier with a corresponding assigned data domain specified inthe security policy.
 20. The non-transitory computer-readable medium ofclaim 18 wherein the data comprises a data object accessible to theaccess component and wherein the evaluating one or more datacharacteristics comprises the access component accessing the data objectand analysing the data object to evaluate a content of the data objectand comparing the content with data classifications defined in thesecurity policy to identify the assigned data domain.